Cyber-Attacks on Utilities Highlight Need for Strong Rules: Lawmakers

By Robert Lemos |
Posted 2013-05-23

Electric utilities suffer "daily" and "constant" probes by online attackers, threatening the generation and distribution capabilities that provide power to more than 300 million Americans, according to a survey of providers conducted by the staffs of two members of the U.S. House of Representatives.

The survey, sent to electric companies and cooperatives by the congressional staffs of congressmen Edward J. Markey and Henry A. Waxman, found that most utilities complied with required cyber-security standards but only a minority had adopted voluntary recommendations.

"National security experts say that cyber-attacks on America’s electric grid top the target list for terrorists and rogue states, yet we remain highly vulnerable to attacks," Rep. Markey, a senior member of the Energy and Commerce Committee, said in a statement announcing the report's publication. "We need to push electric utilities to enlist all of the measures they can now, and push for stronger standards in Congress that will keep our economy and our country safe from cyber-warfare."

Security experts have warned for at least half a decade about the dangers posed by online attacks to the vulnerable systems used to manage water, power and other critical components of modern life.

The warnings have become more strident this year since the discovery of an increasing number of probes of utilities' networks and a destructive attack on oil giant Saudi Aramco that deleted data on approximately 30,000 systems. In March, executives and industry experts complained that few government agencies or companies shared information about the best security measures to protect infrastructure.

"These companies are increasing the amount of threat every day by modernizing their systems and connecting them to the Internet," Julian Waits, Sr., CEO of endpoint-protection firm ThreatTrack Security, told eWEEK. Waits formerly worked in compliance, ensuring that utilities and other firms adhered to regulations. "It's been five years since I've played in that game and I thought we would have made more progress by now."

The two Congressmen sent out the survey to more than 150 utilities and more than 60 percent of the companies and cooperatives responded. The legislators aimed to reignite interest in a bill, known as the GRID Act that aims to give the Federal Energy Regulatory Commission (FERC) the power to set and enforce regulations.

"Numerous security experts have called on Congress to provide a federal entity with the necessary authority to ensure that the grid is protected from potential cyber-attacks and geomagnetic storms," the congressmen stated in the report. "Despite these calls for action, Congress has not provided any governmental entity with that necessary authority."

While no utility had reported any significant damage from the attacks, the survey’s analysis questioned whether the lack of an incident could be due to inadequate reporting of breaches.

"Most respondents [who] indicated that they follow standard requirements for reporting attacks to state and federal authorities, did not describe the circumstances under which these requirements would be triggered, but largely indicated that the incidents they experienced did not rise to reportable levels," the report stated.